WhatsApp on iOS doesn’t delete your chats fully

The latest version of the app tested leaves a forensic trace of all of your chats, even after you’ve deleted, cleared, or archived them, and even if you ‘Clear All Chats.’ In fact, the only way to get rid of them appears to be to delete the app entirely.

As the researcher said: “The core issue here is that ephemeral communication is not ephemeral on disk”.

Zdziarski found that when a user deletes a WhatsApp conversation, the underlying SQLite database follows its normal mode of operation: it marks the data as deleted and adds it to a “free list” of database entries that can be overwritten by other information, instead of actually wiping the data from its index.

This basically means that WhatsApp is leaving behind a forensic footprint which can be recovered and reconstructed back to its original form.
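The behaviour described above can be reproduced with any SQLite file. The following added example (not from Zdziarski's research or from WhatsApp's code; the table name, marker string and function name are constructed for illustration) fills a message table, clears it, and scans the raw file for a known string, first with SQLite's secure_delete pragma off and then with it on.

```python
import os
import sqlite3
import tempfile

MARKER = b"CONSTRUCTED-SECRET-MESSAGE-7f3a"  # constructed sample text, not real data

def residue_after_clear(secure_delete: bool) -> dict:
    """Fill a chat table, clear it, then scan the raw database file for MARKER."""
    fd, path = tempfile.mkstemp(suffix=".sqlite")
    os.close(fd)
    try:
        conn = sqlite3.connect(path)
        # Set both explicitly: upstream SQLite defaults to secure_delete OFF and
        # auto_vacuum NONE, but individual builds can change those defaults.
        conn.execute("PRAGMA auto_vacuum = NONE")
        conn.execute(f"PRAGMA secure_delete = {'ON' if secure_delete else 'OFF'}")
        conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
        # Enough filler rows to spread the table over several pages.
        rows = [(f"filler message {i} " + "x" * 200,) for i in range(200)]
        rows[100] = (MARKER.decode(),)
        conn.executemany("INSERT INTO messages (body) VALUES (?)", rows)
        conn.commit()
        conn.execute("DELETE FROM messages")  # the "clear all chats" step
        conn.commit()
        visible = conn.execute("SELECT COUNT(*) FROM messages").fetchone()[0]
        free_pages = conn.execute("PRAGMA freelist_count").fetchone()[0]
        conn.close()
        with open(path, "rb") as fh:  # read the file the way a forensic tool would
            raw = fh.read()
        return {"visible_rows": visible, "free_pages": free_pages,
                "marker_on_disk": MARKER in raw}
    finally:
        os.remove(path)

if __name__ == "__main__":
    for mode in (False, True):
        print("secure_delete", "ON " if mode else "OFF", residue_after_clear(mode))
```

In both runs the application sees zero rows and the freed pages sit on the free list; only with secure_delete on are those pages zeroed before they are released.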

WhatsApp did not respond to a request for comment, said The Verge.

Those relying on iTunes’s “Encrypt Backups” option for desktop backups, rather than backing up to iCloud, could fall foul of forensics tools created to hack passwords, Zdziarski added.

Zdziarski says that data was left behind no matter what deletion method was used: archiving, clearing or deleting threads – and he suggests that the same flaw is present in iMessages … He recommends people either delete the app and reinstall it periodically, set an encryption password for iTunes backup, or disable iCloud.

If the user stores this backup password in the Apple Keychain utility, then there are forensics tools that can leak the content of the Keychain and allow access to the WhatsApp SQLite database.


According to Zdziarski’s research, WhatsApp stores a forensic trace of your chats. In all cases, the deleted SQLite records remained intact in the database. The file itself can be marked in such a way that it will not be backed up.

WhatsApp is retaining and storing chat logs even after the user deletes those chats